[Freeipa-users] Error with kerberos users

Jakub Hrozek jhrozek at redhat.com
Wed Mar 4 08:30:28 UTC 2015


On Tue, Mar 03, 2015 at 12:59:13PM -0500, Dmitri Pal wrote:
> On 03/03/2015 12:35 PM, Günther J. Niederwimmer wrote:
> >Hello,
> >
> >On Tuesday, 3 March 2015, 11:15:14, Dmitri Pal wrote:
> >>On 03/03/2015 10:39 AM, Günther J. Niederwimmer wrote:
> >>>Hello,
> >>>
> >>>what is wrong on my setup?
> >>>This is a "normal" install with ipa-server-install and ipa-client install
> >>>on 5 KVM clients.
> >>>
> >>>CentOs 7
> >>>
> >>>
> >>>
> >>>WARNING: Failed to create krb5 context for user with uid 225200001 for
> >>>server bbs.gjn.prv
> >Can this be correct ??
> >
> >I make a kinit with this user ?
> >
> >
> >>>Mar  3 16:28:22 smtp1 rpc.gssd[6912]: doing error downcall
> >>>Mar  3 16:28:22 smtp1 rpc.gssd[32155]: handling gssd upcall
> >>>(/var/lib/nfs/rpc_pipefs/nfs/clnt5)
> >>>Mar  3 16:28:22 smtp1 rpc.gssd[32155]: handle_gssd_upcall: 'mech=krb5
> >>>uid=225200001 enctypes=18,17,16,23,3,1,2 '
> >>>Mar  3 16:28:22 smtp1 rpc.gssd[6913]: handling krb5 upcall
> >>>(/var/lib/nfs/rpc_pipefs/nfs/clnt5)
> >>>Mar  3 16:28:22 smtp1 rpc.gssd[6913]: process_krb5_upcall: service is
> >>>'<null>'
> >>I assume this is a log from the nfs client showing the attempt to access
> >>NFS server.
> >>Seems like something is misconfigured in the nfs configuration or there
> >>is a mismatch between the acceptable encryption types on the server and
> >>on the client.
> >Yes, this is a log from the nfs-client, but on the server I have the same errors.
> >I have read all the docs I found .-(.
> >>>Mar  3 16:28:22 smtp1 rpc.gssd[6913]: ERROR: GSS-API: error in
> >>>gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code
> >>>may
> >>>provide more information) - No Kerberos credentials available
> >>>Mar  3 16:28:22 smtp1 rpc.gssd[6913]: getting credentials for client with
> >>>uid 225200001 for server bbs.gjn.prv
> >>>Mar  3 16:28:22 smtp1 rpc.gssd[6913]: CC '/tmp/krb5ccmachine_GJN.PRV'
> >>>being
> >>>considered, with preferred realm 'GJN.PRV'
> >>>Mar  3 16:28:22 smtp1 rpc.gssd[6913]: CC '/tmp/krb5ccmachine_GJN.PRV'
> >>>owned by 0, not 225200001
> >>>Mar  3 16:28:22 smtp1 rpc.gssd[6913]: getting credentials for client with
> >>>uid 225200001 for server bbs.gjn.prv
> >>>Mar  3 16:28:22 smtp1 rpc.gssd[6913]: Error doing scandir on directory
> >>>'/run/user/225200001': No such file or directory
> >Why do I have no User (?) and why is this not created by a kinit?
> >
> >>>Mar  3 16:28:22 smtp1 rpc.gssd[6913]: WARNING: Failed to create krb5
> >>>context for user with uid 225200001 for server bbs.gjn.prv
> >
> >>>Mar  3 16:28:22 smtp1 rpc.gssd[6913]: doing error downcall
> >>>Mar  3 16:28:22 smtp1 rpc.gssd[32155]: handling gssd upcall
> >>>(/var/lib/nfs/rpc_pipefs/nfs/clnt5)
> >>>Mar  3 16:28:22 smtp1 rpc.gssd[32155]: handle_gssd_upcall: 'mech=krb5
> >>>uid=225200001 enctypes=18,17,16,23,3,1,2 '
> >>>Mar  3 16:28:22 smtp1 rpc.gssd[6914]: handling krb5 upcall
> >>>(/var/lib/nfs/rpc_pipefs/nfs/clnt5)
> >>>Mar  3 16:28:22 smtp1 rpc.gssd[6914]: process_krb5_upcall: service is
> >>>'<null>'
> >>>Mar  3 16:28:22 smtp1 rpc.gssd[6914]: ERROR: GSS-API: error in
> >>>gss_acquire_cred(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code
> >>>may
> >>>provide more information) - No Kerberos credentials available
> >>>Mar  3 16:28:22 smtp1 rpc.gssd[6914]: getting credentials for client with
> >>>uid 225200001 for server bbs.gjn.prv
> >>>Mar  3 16:28:22 smtp1 rpc.gssd[6914]: CC '/tmp/krb5ccmachine_GJN.PRV'
> >>>being
> >>>considered, with preferred realm 'GJN.PRV'
> >>>Mar  3 16:28:22 smtp1 rpc.gssd[6914]: CC '/tmp/krb5ccmachine_GJN.PRV'
> >>>owned by 0, not 225200001
> >>>Mar  3 16:28:22 smtp1 rpc.gssd[6914]: getting credentials for client with
> >>>uid 225200001 for server bbs.gjn.prv
> >>>Mar  3 16:28:22 smtp1 rpc.gssd[6914]: Error doing scandir on directory
> >>>'/run/user/225200001': No such file or directory
> >>>Mar  3 16:28:22 smtp1 rpc.gssd[6914]: WARNING: Failed to create krb5
> >>>context for user with uid 225200001 for server bbs.gjn.prv
> >Thanks for the answer.
> >
> 
> If this is the client, let us step back and ask the following questions:
> a) Are users resolvable using id command and friends?
> b) Can you do kinit as an ipa user from the client?
> c) Can you log in to that system?
> 
> In 7 the credential cache created by SSSD is in the kernel keyring but it seems
> that the NFS client is looking for it in /tmp.
> 
> What is the sequence of operations? What do you actually do before you
> observe this error (for example: reboot, log into the system using sssd...)?

Also, it's not really clear to me what the issue actually is. What is it
that you're trying to accomplish, which part works and which does not?
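
The rpc.gssd lines quoted in this thread already state which credential caches were examined and why each was rejected. The following is an added example, not part of the original message: it pulls those reasons out of a constructed sample copied from the quoted log, with the wrapped lines rejoined. The function names triage and explain are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: rpc.gssd lines as quoted in the thread, each unwrapped onto one line.
SAMPLE = """\
Mar  3 16:28:22 smtp1 rpc.gssd[6913]: getting credentials for client with uid 225200001 for server bbs.gjn.prv
Mar  3 16:28:22 smtp1 rpc.gssd[6913]: CC '/tmp/krb5ccmachine_GJN.PRV' being considered, with preferred realm 'GJN.PRV'
Mar  3 16:28:22 smtp1 rpc.gssd[6913]: CC '/tmp/krb5ccmachine_GJN.PRV' owned by 0, not 225200001
Mar  3 16:28:22 smtp1 rpc.gssd[6913]: Error doing scandir on directory '/run/user/225200001': No such file or directory
Mar  3 16:28:22 smtp1 rpc.gssd[6913]: WARNING: Failed to create krb5 context for user with uid 225200001 for server bbs.gjn.prv
"""

LINE = re.compile(r"rpc\.gssd\[(\d+)\]: (.*)$")
PATTERNS = [
    ("wrong_owner", re.compile(r"CC '([^']+)' owned by (\d+), not (\d+)")),
    ("missing_dir", re.compile(r"Error doing scandir on directory '([^']+)': (.+)")),
    ("failed", re.compile(r"Failed to create krb5 context for user with uid (\d+) for server (\S+)")),
]

def triage(log_text):
    """Group rpc.gssd messages by the PID in the syslog tag; keep upcalls that failed."""
    by_pid = defaultdict(lambda: {"wrong_owner": [], "missing_dir": [], "failed": None})
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        pid, msg = int(m.group(1)), m.group(2)
        for kind, rx in PATTERNS:
            hit = rx.search(msg)
            if not hit:
                continue
            if kind == "failed":
                by_pid[pid]["failed"] = (int(hit.group(1)), hit.group(2))
            else:
                by_pid[pid][kind].append(hit.groups())
    return {pid: rec for pid, rec in by_pid.items() if rec["failed"]}

def explain(rec):
    """Render one failed upcall as readable lines: target, then each rejected location."""
    uid, server = rec["failed"]
    out = [f"uid {uid} -> {server}: no usable credential cache"]
    for path, owner, want in rec["wrong_owner"]:
        out.append(f"  skipped {path}: owned by uid {owner}, wanted uid {want}")
    for path, err in rec["missing_dir"]:
        out.append(f"  could not scan {path}: {err}")
    return out

if __name__ == "__main__":
    for pid, rec in sorted(triage(SAMPLE).items()):
        print(f"rpc.gssd[{pid}]")
        print("\n".join(explain(rec)))
```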



